Playing with Jenkins File Read [CVE-2024-23897]

I'm looking at CVE-2024-23897, a partial file read vulnerability in Jenkins that leads to RCE. The goal of this video is to understand the vulnerability and look at a Python POC for the exploit, understand what it does, and then run it and compare it to the output when exploiting manually with the Jenkins CLI (using Java as a Jar file).

Jenkins CVE-2024-23897 disclosure: https://www.jenkins.io/security/advis...
Jenkins CLI: https://www.jenkins.io/doc/book/manag...
POC: https://github.com/binganao/CVE-2024-...

[00:00] Introduction
[01:06] Jenkins security advisory
[02:26] Python POC
[05:34] Exploitation with CLI
[07:25] Python POC
[08:32] Isolating list of commands
[10:35] Starting while loop over commands
[11:22] Rabbit hole about bash loop
[16:15] Getting stats on each command
[19:19] Future work
[20:06] Conclusion

#pentest #ctf #bugbounty #jenkins #java #python
